A return to in-person public engagement at STFC

Since 2020, UKRI/STFC’s Scientific Computing Department (SCD) have developed several remote-first public engagement activities, drawing on its long and rich history of delivering face to face public engagement and outreach, as part of the wider STFC programme. With COVID19 restrictions lifted in the UK, STFC has been able to resume in-person public engagement, both on site and in public places. However, this has not meant a complete return to exclusively in-person engagement, but rather, recognising the clear benefits of remote engagement to meeting our strategic public engagement aims, STFC has produced a blended programme for 2022/23, with a mixture of in-person, remote and hybrid events. This paper presents how the remote activities have evolved since their initial creation, how the remote activities have become part of a blended programme and how the in-person activities in place since before the pandemic have been improved as a result of developing the remote activities

Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities (G071)

These guidelines describe the minimum requirements and recommendations for the secure operation of attribute authorities and similar services that make statements about an entity based on well-defined attributes. Adherence to these guidelines may help to establish trust between communities, operators of attribute authorities and issuers, and Relying Parties, infrastructures, and service providers. This document does not define an accreditation process

Maternal vitamin D during pregnancy and offspring autism and autism-associated traits:a prospective cohort study

Background There has been a growing interest in the association between maternal levels of vitamin D during pregnancy and offspring autism. However, whether any associations reflect causal effects is still inconclusive. Methods We used data from a UK-based pregnancy cohort study (Avon Longitudinal Study of Parents and Children) comprising 7689 births between 1991 and 1992 with maternal blood vitamin D levels recorded during pregnancy and at least one recorded outcome measure, including autism diagnosis and autism-associated traits. The association between each outcome with seasonal and gestational age-adjusted maternal serum 25-hydroxyvitamin D during pregnancy was estimated using confounder-adjusted regression models. Multiple imputation was used to account for missing data, and restricted cubic splines were used to investigate nonlinear associations. Mendelian randomization was used to strengthen causal inference. Results No strong evidence of an association between maternal serum 25-hydroxyvitamin D during pregnancy and any offspring autism-associated outcome was found using multivariable regression analysis (autism diagnosis: adjusted OR = 0.98, 95% CI = 0.90–1.06), including with multiple imputation (autism diagnosis: adjusted OR = 0.99, 95% CI = 0.93–1.06), and no evidence of a causal effect was suggested by Mendelian randomization (autism diagnosis: causal OR = 1.08, 95% CI = 0.46–2.55). Some evidence of increased odds of autism-associated traits at lower levels of maternal serum 25-hydroxyvitamin D was found using spline analysis. Limitations Our study was potentially limited by low power, particularly for diagnosed autism cases as an outcome. The cohort may not have captured the extreme lows of the distribution of serum 25-hydroxyvitamin D, and our analyses may have been biased by residual confounding and missing data. Conclusions The present study found no strong evidence of a causal link between maternal vitamin D levels in pregnancy and offspring diagnosis or traits of autism

Inverted CERN School of Computing 2023

This lecture will introduce the concepts of authentication and authorisation and their importance to modern research infrastructures. This will then be built upon by providing an overview of the existing WLCG authentication and authorisation infrastructure (AAI), before taking a deeper look at the token based AAI the grid is currently transitioning towards, covering the motivations for change, the technologies underpinning the design, and key workflows. The exercise class for this lecture will provide attendees with the opportunity to obtain tokens from an issuer, and then extract information from the token. This will build upon concepts from the lecture and give hands-on experience with the technologies underpinning the future of the WLCG AAI

25th International Conference on Computing in High Energy & Nuclear Physics

Since 2017, the Worldwide LHC Computing Grid (WLCG) has been working towards enabling token based authentication and authorisation throughout its entire middleware stack. Following the publication of the WLCG v1.0 Token Schema in 2019, middleware developers have been able to enhance their services to consume and validate OAuth2.0 tokens and process the authorization information they convey. Complex scenarios, involving mul- tiple delegation steps and command line flows, are a key challenge to be ad- dressed in order for the system to be fully operational. This paper expands on the anticipated token based workflows, with a particular focus on local storage of tokens and their discovery by services. The authors include a walk-through of this token flow in the RUCIO managed data-transfer scenario, including delega- tion to FTS and authorised access to storage elements. Next steps are presented, including the current target of submitting production jobs authorised by Tokens within 2021

Public Engagement in a Global Pandemic

UKRI/STFC’s Scientific Computing Department (SCD) has a long and rich history of delivering face to face public engagement and outreach, both on site and in public places, as part of the wider STFC programme. Due to the global COVID-19 pandemic, SCD was forced to abandon an extensive planned programme of public engagement, alongside altering the day-to-day working methods of the majority of its staff. SCD had to respond rapidly to create a new, remote only, programme for the summer and for the foreseeable future. This was initially an exercise in improvisation, identifying existing activities that could be delivered remotely with minimal changes. As the pandemic went on, SCD also created new resources specifically for a remote audience and adapted existing activities where appropriate, using our evaluation framework to ensure these activities continued to meet the aims of the in-person programme. This paper presents the process through which this was achieved, some of the benefits and challenges of remote engagement and the plans for 2021 and beyond

indigo-iam/iam: INDIGO Identity and Access Management Service v1.8.1p2

This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53

indigo-iam/iam: INDIGO Identity and Access Management Service v1.8.2p2

This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53

indigo-iam/iam: INDIGO Identity and Access Management Service v1.8.3

<h2>Recommendations</h2> <p>It is <strong>strongly</strong> recommended to <strong>make a backup of your database</strong> before upgrading to v1.8.3 because several migrations are planned. Also, remember that for updates from versions prior to v1.7.2 you <strong>must</strong> first upgrade to v1.7.2. The migration to v1.8.3 will take an amount of time which will be proportional to the amount of currently active access tokens. This means that if you are deploying IAM with some kind of liveness and readiness probes, it's probably better to <strong>switch them off</strong> before upgrading. This migration may take a long <strong>time.</strong></p> <h2>Changed</h2> <ul> <li>Save access token value as an hash in order to use lighter db indexes and avoid conflicts by @rmiccoli in https://github.com/indigo-iam/iam/pull/613</li> <li>Avoid upper case characters into VO names by @SteDev2 in https://github.com/indigo-iam/iam/pull/616</li> <li>Enable Redis scope matchers and well-known endpoint caching by @federicaagostini in https://github.com/indigo-iam/iam/pull/633</li> <li>Consider scope matcher based on string equality for custom scopes by @rmiccoli in https://github.com/indigo-iam/iam/pull/642</li> </ul> <h2>Added</h2> <ul> <li>Add SCIM endpoint entry to well-known endpoint by @federicaagostini in https://github.com/indigo-iam/iam/pull/631</li> <li>Update account AUP signature time via API by @rmiccoli in https://github.com/indigo-iam/iam/pull/608</li> <li>Add new JWT profile that rename 'groups' claim with 'roles' by @enricovianello in https://github.com/indigo-iam/iam/pull/637</li> <li>Add support for displaying specific language name in federation Metadata by @Sae126V in https://github.com/indigo-iam/iam/pull/640</li> <li>Add missing "Reuse refresh token" box within client management page by @rmiccoli in https://github.com/indigo-iam/iam/pull/650</li> <li>Add missing foreign keys to the database by @enricovianello, @rmiccoli in https://github.com/indigo-iam/iam/pull/632, https://github.com/indigo-iam/iam/pull/659</li> <li>Add OpenID Connect standard claims in ATs for WLCG JWT profile by @rmiccoli in https://github.com/indigo-iam/iam/pull/651</li> </ul> <h2>Fixed</h2> <ul> <li>Allow to add certificates with the same subject DN by @rmiccoli in https://github.com/indigo-iam/iam/pull/624</li> <li>Delete unsupported response types by @rmiccoli in https://github.com/indigo-iam/iam/pull/610</li> <li>Fix management of tokens lifetime following RFC9068 by @federicaagostini in https://github.com/indigo-iam/iam/pull/620</li> <li>Fix CERN Restore workflow by @hannahshort in https://github.com/indigo-iam/iam/pull/645</li> <li>Fix authz code flow with PKCE for IAM test client application by @rmiccoli in https://github.com/indigo-iam/iam/pull/653</li> <li>Fix authorization on IAM APIs such to avoid cases where access is granted to already approved scopes instead of effective token scopes by @enricovianello in https://github.com/indigo-iam/iam/pull/664</li> </ul> <h2>New Contributors</h2> <ul> <li>@SteDev2 made his first contribution in https://github.com/indigo-iam/iam/pull/616</li> <li>@federicaagostini made her first contributions in https://github.com/indigo-iam/iam/pull/620, https://github.com/indigo-iam/iam/pull/631 and https://github.com/indigo-iam/iam/pull/633</li> <li>@Sae126V made his first contribution in https://github.com/indigo-iam/iam/pull/640</li> <li>@hannahshort made her first contributions in https://github.com/indigo-iam/iam/pull/645</li> </ul&gt

indigo-iam/iam: INDIGO Identity and Access Management Service v1.8.3

<h2>Recommendations</h2> <p>It is <strong>strongly</strong> recommended to <strong>make a backup of your database</strong> before upgrading to v1.8.3 because several migrations are planned. Also, remember that for updates from versions prior to v1.7.2 you <strong>must</strong> first upgrade to v1.7.2. The migration to v1.8.3 will take an amount of time which will be proportional to the amount of currently active access tokens. This means that if you are deploying IAM with some kind of liveness and readiness probes, it's probably better to <strong>switch them off</strong> before upgrading. This migration may take a long <strong>time.</strong></p> <h2>Changed</h2> <ul> <li>Save access token value as an hash in order to use lighter db indexes and avoid conflicts by @rmiccoli in https://github.com/indigo-iam/iam/pull/613</li> <li>Avoid upper case characters into VO names by @SteDev2 in https://github.com/indigo-iam/iam/pull/616</li> <li>Enable Redis scope matchers and well-known endpoint caching by @federicaagostini in https://github.com/indigo-iam/iam/pull/633</li> <li>Consider scope matcher based on string equality for custom scopes by @rmiccoli in https://github.com/indigo-iam/iam/pull/642</li> </ul> <h2>Added</h2> <ul> <li>Add SCIM endpoint entry to well-known endpoint by @federicaagostini in https://github.com/indigo-iam/iam/pull/631</li> <li>Update account AUP signature time via API by @rmiccoli in https://github.com/indigo-iam/iam/pull/608</li> <li>Add new JWT profile that rename 'groups' claim with 'roles' by @enricovianello in https://github.com/indigo-iam/iam/pull/637</li> <li>Add support for displaying specific language name in federation Metadata by @Sae126V in https://github.com/indigo-iam/iam/pull/640</li> <li>Add missing "Reuse refresh token" box within client management page by @rmiccoli in https://github.com/indigo-iam/iam/pull/650</li> <li>Add missing foreign keys to the database by @enricovianello, @rmiccoli in https://github.com/indigo-iam/iam/pull/632, https://github.com/indigo-iam/iam/pull/659</li> <li>Add OpenID Connect standard claims in ATs for WLCG JWT profile by @rmiccoli in https://github.com/indigo-iam/iam/pull/651</li> </ul> <h2>Fixed</h2> <ul> <li>Allow to add certificates with the same subject DN by @rmiccoli in https://github.com/indigo-iam/iam/pull/624</li> <li>Delete unsupported response types by @rmiccoli in https://github.com/indigo-iam/iam/pull/610</li> <li>Fix management of tokens lifetime following RFC9068 by @federicaagostini in https://github.com/indigo-iam/iam/pull/620</li> <li>Fix CERN Restore workflow by @hannahshort in https://github.com/indigo-iam/iam/pull/645</li> <li>Fix authz code flow with PKCE for IAM test client application by @rmiccoli in https://github.com/indigo-iam/iam/pull/653</li> <li>Fix authorization on IAM APIs such to avoid cases where access is granted to already approved scopes instead of effective token scopes by @enricovianello in https://github.com/indigo-iam/iam/pull/664</li> </ul> <h2>New Contributors</h2> <ul> <li>@SteDev2 made his first contribution in https://github.com/indigo-iam/iam/pull/616</li> <li>@federicaagostini made her first contributions in https://github.com/indigo-iam/iam/pull/620, https://github.com/indigo-iam/iam/pull/631 and https://github.com/indigo-iam/iam/pull/633</li> <li>@Sae126V made his first contribution in https://github.com/indigo-iam/iam/pull/640</li> <li>@hannahshort made her first contributions in https://github.com/indigo-iam/iam/pull/645</li> </ul&gt